diff options
| author | millert <> | 2003-09-25 21:14:46 +0000 |
|---|---|---|
| committer | millert <> | 2003-09-25 21:14:46 +0000 |
| commit | eb717357116944737cfa779dc09332ab7cbb4f43 (patch) | |
| tree | f399561ad64caec4c1a33f052e4bb8cf5f3d9c4c | |
| parent | c6223f04e5580b6affc19d5f7518c523814b7da8 (diff) | |
| download | openbsd-eb717357116944737cfa779dc09332ab7cbb4f43.tar.gz openbsd-eb717357116944737cfa779dc09332ab7cbb4f43.tar.bz2 openbsd-eb717357116944737cfa779dc09332ab7cbb4f43.zip | |
Do check for current pointer vs. buffer end before touching any
elements in the buffer. Fixes an out of bounds access.
From aaron@; OK deraadt@
| -rw-r--r-- | src/lib/libc/net/ns_ntoa.c | 4 | ||||
| -rw-r--r-- | src/lib/libc/net/rcmd.c | 10 |
2 files changed, 7 insertions, 7 deletions
diff --git a/src/lib/libc/net/ns_ntoa.c b/src/lib/libc/net/ns_ntoa.c index 019e8b0a59..fd67e459da 100644 --- a/src/lib/libc/net/ns_ntoa.c +++ b/src/lib/libc/net/ns_ntoa.c | |||
| @@ -28,7 +28,7 @@ | |||
| 28 | */ | 28 | */ |
| 29 | 29 | ||
| 30 | #if defined(LIBC_SCCS) && !defined(lint) | 30 | #if defined(LIBC_SCCS) && !defined(lint) |
| 31 | static char rcsid[] = "$OpenBSD: ns_ntoa.c,v 1.12 2003/06/02 20:18:35 millert Exp $"; | 31 | static char rcsid[] = "$OpenBSD: ns_ntoa.c,v 1.13 2003/09/25 21:14:46 millert Exp $"; |
| 32 | #endif /* LIBC_SCCS and not lint */ | 32 | #endif /* LIBC_SCCS and not lint */ |
| 33 | 33 | ||
| 34 | #include <sys/param.h> | 34 | #include <sys/param.h> |
| @@ -53,7 +53,7 @@ ns_ntoa(struct ns_addr addr) | |||
| 53 | cp = spectHex(obuf); | 53 | cp = spectHex(obuf); |
| 54 | rem = sizeof(obuf) - (cp - obuf); | 54 | rem = sizeof(obuf) - (cp - obuf); |
| 55 | cp2 = cp + 1; | 55 | cp2 = cp + 1; |
| 56 | while (*up==0 && up < uplim) | 56 | while (up < uplim && *up==0) |
| 57 | up++; | 57 | up++; |
| 58 | if (up == uplim) { | 58 | if (up == uplim) { |
| 59 | if (port) { | 59 | if (port) { |
diff --git a/src/lib/libc/net/rcmd.c b/src/lib/libc/net/rcmd.c index f37cb785be..769e85e0a4 100644 --- a/src/lib/libc/net/rcmd.c +++ b/src/lib/libc/net/rcmd.c | |||
| @@ -29,7 +29,7 @@ | |||
| 29 | */ | 29 | */ |
| 30 | 30 | ||
| 31 | #if defined(LIBC_SCCS) && !defined(lint) | 31 | #if defined(LIBC_SCCS) && !defined(lint) |
| 32 | static char *rcsid = "$OpenBSD: rcmd.c,v 1.47 2003/07/11 22:39:21 deraadt Exp $"; | 32 | static char *rcsid = "$OpenBSD: rcmd.c,v 1.48 2003/09/25 21:14:46 millert Exp $"; |
| 33 | #endif /* LIBC_SCCS and not lint */ | 33 | #endif /* LIBC_SCCS and not lint */ |
| 34 | 34 | ||
| 35 | #include <sys/param.h> | 35 | #include <sys/param.h> |
| @@ -485,7 +485,7 @@ __ivaliduser_sa(hostf, raddr, salen, luser, ruser) | |||
| 485 | p = buf; | 485 | p = buf; |
| 486 | if (*p == '#') | 486 | if (*p == '#') |
| 487 | continue; | 487 | continue; |
| 488 | while (*p != '\n' && *p != ' ' && *p != '\t' && p < buf + buflen) { | 488 | while (p < buf + buflen && *p != '\n' && *p != ' ' && *p != '\t') { |
| 489 | if (!isprint(*p)) | 489 | if (!isprint(*p)) |
| 490 | goto bail; | 490 | goto bail; |
| 491 | *p = isupper(*p) ? tolower(*p) : *p; | 491 | *p = isupper(*p) ? tolower(*p) : *p; |
| @@ -495,13 +495,13 @@ __ivaliduser_sa(hostf, raddr, salen, luser, ruser) | |||
| 495 | continue; | 495 | continue; |
| 496 | if (*p == ' ' || *p == '\t') { | 496 | if (*p == ' ' || *p == '\t') { |
| 497 | *p++ = '\0'; | 497 | *p++ = '\0'; |
| 498 | while ((*p == ' ' || *p == '\t') && p < buf + buflen) | 498 | while (p < buf + buflen && (*p == ' ' || *p == '\t')) |
| 499 | p++; | 499 | p++; |
| 500 | if (p >= buf + buflen) | 500 | if (p >= buf + buflen) |
| 501 | continue; | 501 | continue; |
| 502 | user = p; | 502 | user = p; |
| 503 | while (*p != '\n' && *p != ' ' && | 503 | while (p < buf + buflen && *p != '\n' && *p != ' ' && |
| 504 | *p != '\t' && p < buf + buflen) { | 504 | *p != '\t') { |
| 505 | if (!isprint(*p)) | 505 | if (!isprint(*p)) |
| 506 | goto bail; | 506 | goto bail; |
| 507 | p++; | 507 | p++; |